rust-for-linux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] docs: rust: extend abstraction and binding documentation
@ 2024-02-06  6:54 Dirk Behme
  2024-02-06  8:28 ` Valentin Obst
  2024-02-06 19:35 ` Miguel Ojeda
  0 siblings, 2 replies; 5+ messages in thread
From: Dirk Behme @ 2024-02-06  6:54 UTC (permalink / raw)
  To: rust-for-linux; +Cc: Dirk Behme, Miguel Ojeda

Add some basics explained by Miguel in [1] to the documentation.
And connect it with some hints where this is implemented in the
kernel.

[1] https://www.linuxfoundation.org/webinars/rust-for-linux-writing-abstractions-and-drivers

CC: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
---
 Documentation/rust/general-information.rst | 56 ++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/Documentation/rust/general-information.rst b/Documentation/rust/general-information.rst
index 081397827a7ea..616e2f2c09220 100644
--- a/Documentation/rust/general-information.rst
+++ b/Documentation/rust/general-information.rst
@@ -64,6 +64,62 @@ but it is intended that coverage is expanded as time goes on. "Leaf" modules
 (e.g. drivers) should not use the C bindings directly. Instead, subsystems
 should provide as-safe-as-possible abstractions as needed.
 
+.. code-block::
+
+	                                                rust/bindings/
+                                                       (rust/helpers.c)
+
+                                                          include/ -----+ <-+
+                                                                        |   |
+         drivers/              rust/kernel/              +----------+ <-+   |
+           fs/                                           | bindgen  |       |
+          .../            +-------------------+          +----------+ --+   |
+                          |    Abstractions   |                         |   |
+       +---------+        | +------+ +------+ |          +----------+   |   |
+       | my_foo  | -----> | | foo  | | bar  | | -------> | Bindings | <-+   |
+       | driver  |  Safe  | | sub- | | sub- | |  Unsafe  |          |       |
+       +---------+        | |system| |system| |          | bindings | <-----+
+            |             | +------+ +------+ |          |  crate   |       |
+            |             |   kernel crate    |          +----------+       |
+            |             +-------------------+                             |
+            |                                                               |
+            +------------------# FORBIDDEN #--------------------------------+
+
+The main idea is to encapsulate all ``unsafe()`` handling in the abstractions reviewed
+and documented carefully. These are considered to be sound then. With this model
+it is assumed that users of the abstractions ("my_foo driver") can't do anything
+unsound if
+
+#. the abstractions are sound
+#. they don't use ``unsafe()``
+
+Bindings
+~~~~~~~~
+
+By including a C header from ``include/`` into ``rust/bindings/bindings_helper.h``
+the ``bindgen`` tool will auto-generate the bindings for the included subsystem.
+See the ``*_generated.rs`` output files in the ``rust/bindings/`` directory.
+
+For parts of the C header ``bindgen`` doesn't auto generate, e.g. C ``inline``
+functions, there is the option to add a small wrapper function to ``rust/helpers.c``
+to make it available for the Rust side as well.
+
+Abstractions
+~~~~~~~~~~~~
+
+Abstractions are the glue layer between the bindings and the in-kernel users. E.g.
+the drivers or file systems written in Rust. They are located in ``rust/kernel/``
+and are supposed to make the ``unsafe()`` access to the bindings as-safe-as-possible
+for their users.
+
+Tutorial
+~~~~~~~~
+
+The webinar `Rust For Linux: Writing Safe Abstractions & Drivers`
+
+	https://www.linuxfoundation.org/webinars/rust-for-linux-writing-abstractions-and-drivers
+
+has an introduction to this topic.
 
 Conditional compilation
 -----------------------
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] docs: rust: extend abstraction and binding documentation
  2024-02-06  6:54 [PATCH] docs: rust: extend abstraction and binding documentation Dirk Behme
@ 2024-02-06  8:28 ` Valentin Obst
  2024-02-06 19:35 ` Miguel Ojeda
  1 sibling, 0 replies; 5+ messages in thread
From: Valentin Obst @ 2024-02-06  8:28 UTC (permalink / raw)
  To: dirk.behme; +Cc: ojeda, rust-for-linux, Valentin Obst

+.. code-block::
+
+	                                                rust/bindings/
+                                                       (rust/helpers.c)
+
+                                                          include/ -----+ <-+
+                                                                        |   |
+         drivers/              rust/kernel/              +----------+ <-+   |
+           fs/                                           | bindgen  |       |
+          .../            +-------------------+          +----------+ --+   |
+                          |    Abstractions   |                         |   |
+       +---------+        | +------+ +------+ |          +----------+   |   |
+       | my_foo  | -----> | | foo  | | bar  | | -------> | Bindings | <-+   |
+       | driver  |  Safe  | | sub- | | sub- | |  Unsafe  |          |       |
+       +---------+        | |system| |system| |          | bindings | <-----+
+            |             | +------+ +------+ |          |  crate   |       |
+            |             |   kernel crate    |          +----------+       |
+            |             +-------------------+                             |
+            |                                                               |
+            +------------------# FORBIDDEN #--------------------------------+
+
+The main idea is to encapsulate all ``unsafe()`` handling in the abstractions reviewed
+and documented carefully. These are considered to be sound then.

Maybe reword a bit to make it smoother:

The main idea is to encapsulate all ``unsafe()`` handling in carefully
reviewed and documented abstractions. These are then considered to be
sound.

> 								  With this model
> +it is assumed that users of the abstractions ("my_foo driver") can't do anything
> +unsound if

Not sure if 'assumed' is the best word here. Isn't the soundness
of safe code implied by the soundness of the safe abstractions it is
using? In that case one could use stronger words and say, e.g.,
"... ensured that ...".

> +
> +#. the abstractions are sound
> +#. they don't use ``unsafe()``
> +
> +Bindings
> +~~~~~~~~
> +
> +By including a C header from ``include/`` into ``rust/bindings/bindings_helper.h``
> +the ``bindgen`` tool will auto-generate the bindings for the included subsystem.
> +See the ``*_generated.rs`` output files in the ``rust/bindings/`` directory.
> +
> +For parts of the C header ``bindgen`` doesn't auto generate, e.g. C ``inline``
> +functions, there is the option to add a small wrapper function to ``rust/helpers.c``
> +to make it available for the Rust side as well.
> +
> +Abstractions
> +~~~~~~~~~~~~
> +
> +Abstractions are the glue layer between the bindings and the in-kernel users. E.g.
> +the drivers or file systems written in Rust.

Wouldn't start a sentence with 'e.g.'. I'd either write it out, i.e.,
"For example,", or not start a new sentence: "... users, e.g. ...".

> 						They are located in ``rust/kernel/``
> +and are supposed to make the ``unsafe()`` access to the bindings as-safe-as-possible
> +for their users.
> +

I think one could make it more clear that users are not expected to
access the bindings directly, e.g.:

... and their role is to encapsulate the ``unsafe()`` access to the
bindings into a safe API that they expose to their users.

Note: Looks like you only sent this to Miguel and RFL list (intentional?).

	- Best Valentin

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] docs: rust: extend abstraction and binding documentation
  2024-02-06  6:54 [PATCH] docs: rust: extend abstraction and binding documentation Dirk Behme
  2024-02-06  8:28 ` Valentin Obst
@ 2024-02-06 19:35 ` Miguel Ojeda
  2024-02-07  5:32   ` Behme Dirk (CM/ESO2)
  1 sibling, 1 reply; 5+ messages in thread
From: Miguel Ojeda @ 2024-02-06 19:35 UTC (permalink / raw)
  To: Dirk Behme; +Cc: rust-for-linux, Miguel Ojeda

On Tue, Feb 6, 2024 at 7:54 AM Dirk Behme <dirk.behme@de.bosch.com> wrote:
>
> CC: Miguel Ojeda <ojeda@kernel.org>

Nit: it is typically spelled Cc (i.e. camel case).

> +.. code-block::
> +
> +                                                       rust/bindings/
> +                                                       (rust/helpers.c)
> +
> +                                                          include/ -----+ <-+
> +                                                                        |   |
> +         drivers/              rust/kernel/              +----------+ <-+   |
> +           fs/                                           | bindgen  |       |
> +          .../            +-------------------+          +----------+ --+   |
> +                          |    Abstractions   |                         |   |
> +       +---------+        | +------+ +------+ |          +----------+   |   |
> +       | my_foo  | -----> | | foo  | | bar  | | -------> | Bindings | <-+   |
> +       | driver  |  Safe  | | sub- | | sub- | |  Unsafe  |          |       |
> +       +---------+        | |system| |system| |          | bindings | <-----+
> +            |             | +------+ +------+ |          |  crate   |       |
> +            |             |   kernel crate    |          +----------+       |
> +            |             +-------------------+                             |
> +            |                                                               |
> +            +------------------# FORBIDDEN #--------------------------------+

Thanks a lot for the effort of making that slide into ASCII :)

I could try to see if I can export the diagram into SVG and include it.

> +The main idea is to encapsulate all ``unsafe()`` handling in the abstractions reviewed
> +and documented carefully. These are considered to be sound then. With this model
> +it is assumed that users of the abstractions ("my_foo driver") can't do anything
> +unsound if
> +
> +#. the abstractions are sound
> +#. they don't use ``unsafe()``

Like Valentin, I feel the wording needs some improvement here. Part of
the confusion may be the `unsafe()` there -- it is unclear what it
means (especially given the parentheses).

It is true we want to encapsulate C APIs and we forbid calling
directly `bindings` outside subsystems / exceptional cases; and
ideally provide safe abstractions as much as possible. However, we are
not the ones "considering" the abstractions sound (or at least that
way of putting it may confuse readers). We do our best to have sound
abstractions, but it is not something we "decide". So if e.g. someone
passes a raw pointer and just dereferences it in a safe function, that
is most likely unsound and it should be fixed.

That is, in turn, what allows callers to avoid breaking things. In
other words, we don't "assume that users cannot do anything unsound"
(introduce UB?) -- quite the opposite: what we want (as much as
possible) is that they cannot introduce UB even if they tried.

And that applies even if users use `unsafe`, as long as they use it
correctly, i.e. as long as they don't break the preconditions of what
they use. It is just that the best case is that they do not even need
to use `unsafe` calls (this is why we want that APIs are as safe as
possible, because then we minimize the chances that users get it wrong
and introduce UB).

> +Abstractions
> +~~~~~~~~~~~~
> +
> +Abstractions are the glue layer between the bindings and the in-kernel users. E.g.

Perhaps we should avoid "glue layer", since that sometimes implies
that it is a "thin" layer / "uninteresting" layer. However, the
abstractions are the actual interesting bits (and can be quite
complex, precisely to achieve the relaxation of safety preconditions,
i.e. making APIs "as safe as possible", that you mention below).

But it is quite subjective.

> +The webinar `Rust For Linux: Writing Safe Abstractions & Drivers`
> +
> +       https://www.linuxfoundation.org/webinars/rust-for-linux-writing-abstractions-and-drivers
> +
> +has an introduction to this topic.

I appreciate this, though some of the things in there are outdated, so
I am not sure about including this nowadays. Perhaps we should record
new ones instead :) Or, even better, I could "write" the talk in
written form here, which can be maintained and be kept up to date.
Relatedly, Benno is working on some extra documentation about how to
write safety preconditions that we will probably add around here when
it is ready.

Cheers,
Miguel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] docs: rust: extend abstraction and binding documentation
  2024-02-06 19:35 ` Miguel Ojeda
@ 2024-02-07  5:32   ` Behme Dirk (CM/ESO2)
  2024-02-08 10:36     ` Benno Lossin
  0 siblings, 1 reply; 5+ messages in thread
From: Behme Dirk (CM/ESO2) @ 2024-02-07  5:32 UTC (permalink / raw)
  To: Benno Lossin, Miguel Ojeda; +Cc: rust-for-linux, Miguel Ojeda, Valentin Obst

On 06.02.2024 20:35, Miguel Ojeda wrote:
> On Tue, Feb 6, 2024 at 7:54 AM Dirk Behme <dirk.behme@de.bosch.com> wrote:
>>
>> CC: Miguel Ojeda <ojeda@kernel.org>
> 
> Nit: it is typically spelled Cc (i.e. camel case).
> 
>> +.. code-block::
>> +
>> +                                                       rust/bindings/
>> +                                                       (rust/helpers.c)
>> +
>> +                                                          include/ -----+ <-+
>> +                                                                        |   |
>> +         drivers/              rust/kernel/              +----------+ <-+   |
>> +           fs/                                           | bindgen  |       |
>> +          .../            +-------------------+          +----------+ --+   |
>> +                          |    Abstractions   |                         |   |
>> +       +---------+        | +------+ +------+ |          +----------+   |   |
>> +       | my_foo  | -----> | | foo  | | bar  | | -------> | Bindings | <-+   |
>> +       | driver  |  Safe  | | sub- | | sub- | |  Unsafe  |          |       |
>> +       +---------+        | |system| |system| |          | bindings | <-----+
>> +            |             | +------+ +------+ |          |  crate   |       |
>> +            |             |   kernel crate    |          +----------+       |
>> +            |             +-------------------+                             |
>> +            |                                                               |
>> +            +------------------# FORBIDDEN #--------------------------------+
> 
> Thanks a lot for the effort of making that slide into ASCII :)
> 
> I could try to see if I can export the diagram into SVG and include it.
> 
>> +The main idea is to encapsulate all ``unsafe()`` handling in the abstractions reviewed
>> +and documented carefully. These are considered to be sound then. With this model
>> +it is assumed that users of the abstractions ("my_foo driver") can't do anything
>> +unsound if
>> +
>> +#. the abstractions are sound
>> +#. they don't use ``unsafe()``
> 
> Like Valentin, I feel the wording needs some improvement here. Part of
> the confusion may be the `unsafe()` there -- it is unclear what it
> means (especially given the parentheses).
> 
> It is true we want to encapsulate C APIs and we forbid calling
> directly `bindings` outside subsystems / exceptional cases; and
> ideally provide safe abstractions as much as possible. However, we are
> not the ones "considering" the abstractions sound (or at least that
> way of putting it may confuse readers). We do our best to have sound
> abstractions, but it is not something we "decide". So if e.g. someone
> passes a raw pointer and just dereferences it in a safe function, that
> is most likely unsound and it should be fixed.
> 
> That is, in turn, what allows callers to avoid breaking things. In
> other words, we don't "assume that users cannot do anything unsound"
> (introduce UB?) -- quite the opposite: what we want (as much as
> possible) is that they cannot introduce UB even if they tried.
> 
> And that applies even if users use `unsafe`, as long as they use it
> correctly, i.e. as long as they don't break the preconditions of what
> they use. It is just that the best case is that they do not even need
> to use `unsafe` calls (this is why we want that APIs are as safe as
> possible, because then we minimize the chances that users get it wrong
> and introduce UB).
> 
>> +Abstractions
>> +~~~~~~~~~~~~
>> +
>> +Abstractions are the glue layer between the bindings and the in-kernel users. E.g.
> 
> Perhaps we should avoid "glue layer", since that sometimes implies
> that it is a "thin" layer / "uninteresting" layer. However, the
> abstractions are the actual interesting bits (and can be quite
> complex, precisely to achieve the relaxation of safety preconditions,
> i.e. making APIs "as safe as possible", that you mention below).
> 
> But it is quite subjective.
> 
>> +The webinar `Rust For Linux: Writing Safe Abstractions & Drivers`
>> +
>> +       https://www.linuxfoundation.org/webinars/rust-for-linux-writing-abstractions-and-drivers
>> +
>> +has an introduction to this topic.
> 
> I appreciate this, though some of the things in there are outdated, so
> I am not sure about including this nowadays. Perhaps we should record
> new ones instead :) Or, even better, I could "write" the talk in
> written form here, which can be maintained and be kept up to date.


Yes, that sounds really great! :)


> Relatedly, Benno is working on some extra documentation about how to
> write safety preconditions that we will probably add around here when
> it is ready.

Benno, is it worth to wait for that? I.e. drop this patch and wait for 
your version?


In general, I try to document/extend in Documentation/rust/ what I 
understood in RFL is different to "standard" Rust. This 
abstraction/bindings part is one of it. I have some additional topics 
like no_std usage (I think this not mentioned anywhere, yet?) and maybe 
error handling (in most cases we might not want to "crash" the kernel 
with panic).


Best regards

Dirk

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] docs: rust: extend abstraction and binding documentation
  2024-02-07  5:32   ` Behme Dirk (CM/ESO2)
@ 2024-02-08 10:36     ` Benno Lossin
  0 siblings, 0 replies; 5+ messages in thread
From: Benno Lossin @ 2024-02-08 10:36 UTC (permalink / raw)
  To: Behme Dirk (CM/ESO2), Miguel Ojeda
  Cc: rust-for-linux, Miguel Ojeda, Valentin Obst

On 2/7/24 06:32, Behme Dirk (CM/ESO2) wrote:
> On 06.02.2024 20:35, Miguel Ojeda wrote:
>> On Tue, Feb 6, 2024 at 7:54 AM Dirk Behme <dirk.behme@de.bosch.com> wrote:
>>>
>>> CC: Miguel Ojeda <ojeda@kernel.org>
>>
>> Nit: it is typically spelled Cc (i.e. camel case).
>>
>>> +.. code-block::
>>> +
>>> +                                                       rust/bindings/
>>> +                                                       (rust/helpers.c)
>>> +
>>> +                                                          include/ -----+ <-+
>>> +                                                                        |   |
>>> +         drivers/              rust/kernel/              +----------+ <-+   |
>>> +           fs/                                           | bindgen  |       |
>>> +          .../            +-------------------+          +----------+ --+   |
>>> +                          |    Abstractions   |                         |   |
>>> +       +---------+        | +------+ +------+ |          +----------+   |   |
>>> +       | my_foo  | -----> | | foo  | | bar  | | -------> | Bindings | <-+   |
>>> +       | driver  |  Safe  | | sub- | | sub- | |  Unsafe  |          |       |
>>> +       +---------+        | |system| |system| |          | bindings | <-----+
>>> +            |             | +------+ +------+ |          |  crate   |       |
>>> +            |             |   kernel crate    |          +----------+       |
>>> +            |             +-------------------+                             |
>>> +            |                                                               |
>>> +            +------------------# FORBIDDEN #--------------------------------+
>>
>> Thanks a lot for the effort of making that slide into ASCII :)
>>
>> I could try to see if I can export the diagram into SVG and include it.
>>
>>> +The main idea is to encapsulate all ``unsafe()`` handling in the abstractions reviewed
>>> +and documented carefully. These are considered to be sound then. With this model
>>> +it is assumed that users of the abstractions ("my_foo driver") can't do anything
>>> +unsound if
>>> +
>>> +#. the abstractions are sound
>>> +#. they don't use ``unsafe()``
>>
>> Like Valentin, I feel the wording needs some improvement here. Part of
>> the confusion may be the `unsafe()` there -- it is unclear what it
>> means (especially given the parentheses).
>>
>> It is true we want to encapsulate C APIs and we forbid calling
>> directly `bindings` outside subsystems / exceptional cases; and
>> ideally provide safe abstractions as much as possible. However, we are
>> not the ones "considering" the abstractions sound (or at least that
>> way of putting it may confuse readers). We do our best to have sound
>> abstractions, but it is not something we "decide". So if e.g. someone
>> passes a raw pointer and just dereferences it in a safe function, that
>> is most likely unsound and it should be fixed.
>>
>> That is, in turn, what allows callers to avoid breaking things. In
>> other words, we don't "assume that users cannot do anything unsound"
>> (introduce UB?) -- quite the opposite: what we want (as much as
>> possible) is that they cannot introduce UB even if they tried.
>>
>> And that applies even if users use `unsafe`, as long as they use it
>> correctly, i.e. as long as they don't break the preconditions of what
>> they use. It is just that the best case is that they do not even need
>> to use `unsafe` calls (this is why we want that APIs are as safe as
>> possible, because then we minimize the chances that users get it wrong
>> and introduce UB).
>>
>>> +Abstractions
>>> +~~~~~~~~~~~~
>>> +
>>> +Abstractions are the glue layer between the bindings and the in-kernel users. E.g.
>>
>> Perhaps we should avoid "glue layer", since that sometimes implies
>> that it is a "thin" layer / "uninteresting" layer. However, the
>> abstractions are the actual interesting bits (and can be quite
>> complex, precisely to achieve the relaxation of safety preconditions,
>> i.e. making APIs "as safe as possible", that you mention below).
>>
>> But it is quite subjective.
>>
>>> +The webinar `Rust For Linux: Writing Safe Abstractions & Drivers`
>>> +
>>> +       https://www.linuxfoundation.org/webinars/rust-for-linux-writing-abstractions-and-drivers
>>> +
>>> +has an introduction to this topic.
>>
>> I appreciate this, though some of the things in there are outdated, so
>> I am not sure about including this nowadays. Perhaps we should record
>> new ones instead :) Or, even better, I could "write" the talk in
>> written form here, which can be maintained and be kept up to date.
> 
> 
> Yes, that sounds really great! :)
> 
> 
>> Relatedly, Benno is working on some extra documentation about how to
>> write safety preconditions that we will probably add around here when
>> it is ready.
> 
> Benno, is it worth to wait for that? I.e. drop this patch and wait for
> your version?

My stuff focuses more on how to to write safety documentation and what
our motivations for certain conventions are. This gives a higher level
overview and useful on its own, so you can keep it.
I agree with Miguel that some of the wording should be improved. Maybe
he can help you with that.

-- 
Cheers,
Benno



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-02-08 10:37 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-06  6:54 [PATCH] docs: rust: extend abstraction and binding documentation Dirk Behme
2024-02-06  8:28 ` Valentin Obst
2024-02-06 19:35 ` Miguel Ojeda
2024-02-07  5:32   ` Behme Dirk (CM/ESO2)
2024-02-08 10:36     ` Benno Lossin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).